The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/aug27,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
The internet will be a little safer for the next ten months. A South Korean court has ordered a man, identified only as Chung, to be imprisoned for ten months. His crime is creating a browser hijacker which forces a victim's browser to go to pornographic web sites. This same person previously spent eight months in jail for doing exactly the same thing.
How nice to find a country which recognizes that the creators of browser hijackers should go to prison. I hope the same thing happens here in the US. It just might happen, if Congress will ever shake out a final version of SPY ACT and send it to the President.
And let's all hope that Mr. Chung is happy with his new boyfriend during his ten month vacation.
"Spy Sweeper is the most effective standalone tool
for detecting, removing, and blocking spyware."
-PC Magazine, January 12, 2005
Spy Sweeper
Webroot's Spy Sweeper is one of the best antispyware programs available today. It can do a quick scan to find spyware in the most likely locations. It also can do a very thorough full scan which looks at *everything*.
While I was test driving it, I noticed that it was looking at the modules loaded into memory. I don't mean just processes. I mean that it was scanning every file loaded as a module by every process running in memory to see if it matched a known spyware. It also scans the entire hard drive for malicious files. That full scan takes a while, so you may want to use the built-in scheduler to do that when you are sleeping or away from home.
This new version of Spy Sweeper is extremely nice. It is very easy to use. It is very thorough. The protective options are very good - far better than the obligatory option of locking the Internet Explorer home page that many other programs provide. The new start up manager is a fantastic feature. I definitely recommend this new version of Spy Sweeper.
Here is a partial list of features:
Window Washer
Window Washer is a very cool, very useful program. You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history, and even those nearly impossible to delete index.dat files. With Window Washer, you don't have to waste all that time and energy. Window Washer makes doing these tasks quick and easy.
Over time, you can free up gigs of hard drive space with regular cleanings. When I tested Window Washer for the first time, it cleared out over 700MB worth of garbage files, most of it temporary files left over from programs that hadn't cleaned up after themselves. It deleted all of these files very quickly. Since then, it has deleted over 10 GB of trash files through regular cleanings.
It also deletes files by overwriting their hard drive locations several times, which should make it impossible for any recovery program to recover the data. It uses various standards, such as NSA and DoD, or you can configure the number of overwrites. If you want, you can overwrite files hundreds of times, although that is probably overkill.
Purchase Options:
Two-Year Spy Sweeper License: Only $29.95 for SpywareInfo readers. That is $30.00 off the normal price for a two-year subscription. (Reduced price valid until September 9, 2005)
Link: http://www.webroot.com/products/specialsdb.php?code=zrt62&rc=325
One-Year Spy Sweeper License: $19.95 after a $10.00 discount (expires Sept 9, 2005)
Link: http://www.webroot.com/products/specialsdb.php?code=btwg51&rc=325
Window Washer License: $19.95 after a $10.00 discount (expires Sept 9, 2005)
Link: http://www.webroot.com/products/specialsdb.php?code=ekbk4&rc=325
Usually, the "featured program" is a one week feature. However, because so many students (and new computers) are going back to school and classes, this offer from WebRoot will run for two weeks. If you are a student or have a student going back to school, these programs can provide far more than their value in preventing problems and allowing that essential computer to run efficiently.
If you have any problems with the ordering page, please email Catherine at http://www.spywareinfo.com/email2.php.
Anyone buying many copies of either program, please contact Catherine.
Last week I forgot to put the expiration date for the discount on the featured product. Whatever is being featured is always discounted. That discount expires usually a week or two after it is announced. Usually I remember to put the date on it. Sometimes, I forget. Just keep that in mind.
By the way, we are trying to prod some of the companies that we feature into creating a "buy for a friend" function. That would let one person pay for the program while having it registered to someone else.
The available pool of antispyware and privacy protection programs that I feel are acceptable to recommend is limited and I know many of you already have copies of them. If we can convince these companies to implement this, you could more easily buy copies for friends and family. Look for that soon (I hope).
Sunbelt has discovered what looks to be a log of an instant message or IRC chat session between employees of a spyware peddling company. The original Russian language conversation has been translated to English and put into a .pdf file. The file is located at http://www.sunbelt-software.com/ihs/alex/crims.pdf.
The conversation is disgusting, to be perfectly honest. One person is describing, to at least one other person, the features he wants for a new malware.
The file dropped on the victim's system has to be very small, less than 2KB. Then it will download a larger program and install it. He wants it to disable any running antivirus or firewall. He wants it to open a backdoor so that it can be accessed remotely. It should ping a web server to let them know a new computer is infected.
The conversation moves on to discuss how to protect their trojan. Cloned processes will be watching each other's backs. They will try to hide them from process managers. If it is removed partially, it will need to be reinstalled.
It is one thing to see one of these hijackers installed. To see people discussing the things they intend to do and showing absolutely no regard for their victims.... I guess I wouldn't make a very good cop. I was absolutely disgusted after I read that log. People like this are the Al Qaeda of the internet.
Police in Morocco and Turkey, acting on information provided by the US FBI, have bagged two people believed to be responsible for creating and releasing the Zotob, Rtob and Mytob worms. Both men will be prosecuted locally rather than being extradited out of their respective countries.
Eighteen-year-old Moroccan Farid Essebar is believed to be the original creator of these viruses. Twenty-one-year-old Atilla Ekici of Turkey is believed to have paid Essebar for the code to use the worms for his own purposes. There are others connected to these worms and more arrests are expected.
Mytob first appeared around March of this year. Initially, it was thought to be a variant of the better-known MyDoom worm. Mytob installs a modified IRC chat client that logs into an IRC server. From there, it will respond to commands given to it in a chat room on the server.
Zotob appeared just two weeks ago, shortly after a flaw in Windows 2000 was disclosed publicly. Soon after it first appeared, other variants of the worm were released. If another variant of Zotob was found to be installed, the two worms would fight it out for control of the infected computer.
Some variants of Zotob also contained a blunt threat to antivirus makers: "the first antivirus to detect this will be killed in 24 hours". Many virus makers threaten to attack antivirus web sites with denial of service attacks. To my knowledge, no antivirus site has ever been taken down for very long.
http://www.vnunet.com/vnunet/news/2141584/turk-moroccan-arrested-zotob :: Turk and Moroccan arrested for Zotob worm
http://blogs.washingtonpost.com/securityfix/2005/08/arrest_of_zotob.html :: Suspected Zotob Worm Authors Arrested (Might require registration)
http://www.vnunet.com/vnunet/news/2127316/mydoom-variant-opens-backdoor-irc-channel :: MyDoom variant opens backdoor IRC channel
http://www.spywareinfo.com/newsletter/archives/2005/aug19.php#WWIII :: Zotob Outbreak Leads To Worm War III
New Zealand is considering a rather harsh anti-spam law. If a business sends just one unsolicited email to a New Zealander, they would be in violation of the proposed law (if I am reading it correctly). Businesses are required to seek permission before they can send an email to someone, as opposed to spamming those who fail to opt out.
For some unknown reason, Microsoft sent a representative to try and talk the NZ government out of this law. Ryan Hamlin of Microsoft tried to convince the government to make the law opt-out instead of opt-in. He even tried to convince them to rewrite the law to allow companies to continue to send email about new products even after someone opts out.
I am really confused by the actions of this person from Microsoft. By all appearances, it seemed like he was working as a spammer lobbyist, not an antispammer lobbyist. Allow companies to keep sending unwanted ads, even after a person has opted out? What in the world? Someone needs to remind the people in Redmond that the idea is to REDUCE spam, not INCREASE it.
Thankfully, the NZ government seems to have some common sense. New Zealand's Communications Minister, David Cunliffe, is quoted as saying "We decided it's going to be opt-in. End of story. Why should you have to opt out of spam?". Very good point.
I wish the US government had mandated opt-in instead of opt-out. Then perhaps spam would not make up roughly 80% of all email traffic, half of which seems to land in my inbox. Nothing has been more helpful to spammers than the US CAN-SPAM law. It actually makes spamming easier, not harder.
Every now and then, I am sorely tempted to turn off the email server at SpywareInfo and just be done with it.
Just as an example of how lazy I can be, I've only just registered a PO Box in the town I moved into almost exactly a year ago. The old box is located roughly 20 miles away. That is the main reason why I check it only once every two weeks or so.
The new mailing address where I'll receive legal threats, death threats, hate mail, junk mail and, hopefully (hint, hint) donations is:
James Healan
PO Box 71
Vidalia, GA USA 30475
If you have made a donation for the site already, thank you very much. You might also want to check out http://geekygimp.com/. That belongs to one of the regulars in our chat room. He is raising money which he then will donate during the annual MDA Labor Day Telethon.
Could someone who has bought or received a new (not used) Dell PC in the last 30 days contact me please? I have been hearing disturbing rumors and I would like to check them out. I would prefer to talk to someone who knows their way around their computer fairly well. The conversation will be somewhat technical.
Send me an email at mike@spywareinfo.com. Be sure to put "Dell PC" in the subject line so I can find it. You wouldn't believe my inbox. Emails with the subject line "re: spyware weekly newsletter" are summarily canned because of auto responders, so don't reply to this newsletter, whatever you do.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
® All rights reserved.
Use of this site and its services are subject to our terms of use.
